[tor-relays] Recommended reject lines for relays affected by Heartbleed

Andrea Shepard andrea at torproject.org
Thu Apr 17 19:12:00 UTC 2014


On Thu, Apr 17, 2014 at 08:58:46PM +0200, Lars Kumbier wrote:
> I'm supposedly running one of the still affected tor-relays and since my
> relay is also a guard, I'm in the latest blocklist[1] (pre-upgrade
> fingerprint). I did upgrade the system on April 9th to openssl
> 1.0.1-4ubuntu5.12 - base system is an ubuntu 12.04.
> 
> According to the changelog[2], this should have fixed the heartbleed
> issue and according to this scanner[3], it should be as well. I did
> create new keys anyway, but just to be sure: Is the host[4] still
> affected as given in the blocklist?
> 
> Best,
> Lars
> __________________________________
> [1] https://atlas.torproject.org/#details/9AB511B6894566C1CF56043CE60077D213CF1A1A
> [2] https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.12
> [3] https://filippo.io/Heartbleed/#tor.kumbier.it
> [4] tor running on 5.9.165.90:443

A router at that IP with identity 9AB511B6894566C1CF56043CE60077D213CF1A1A
tested positive for Heartbleed several times, most recently at
2014-04-17 10:19:18, before testing negative at 2014-04-17 18:51:46 (all
times UTC).  If you rotate the key you should be fine, but that key is
potentially exposed.

-- 
Andrea Shepard
<andrea at torproject.org>
PGP fingerprint (ECC): BDF5 F867 8A52 4E4A BECF  DE79 A4FF BC34 F01D D536
PGP fingerprint (RSA): 3611 95A4 0740 ED1B 7EA5  DF7E 4191 13D9 D0CF BDA5